A heavier weight to carry: despite initial pressures to emphasize financial controls more than governance, internal auditors are now bearing additional responsibility for both--and raising their stature as a result.IF YOU LEFT INTERNAL AUDITING FIVE YEARS AGO to ranch minks ranch mink n. A mink bred in captivity from Alaskan and Labrador strains for special pelt colors and qualities. or produce film documentaries and just returned, you'd be forgiven if you hardly recognized the myriad Myriad is a classical Greek name for the number 104 = 10 000. In modern English the word refers to an unspecified large quantity. The term myriad is a progression in the commonly used system of describing numbers using tens and hundreds. new ways companies now focus on internal controls. Laws have changed throughout the world, famously fa·mous·ly adv. 1. In a way or to an extent that is well known: "his famously neurotic mannerisms [are] lampooned in the novels of Evelyn Waugh" , and companies have changed--in some cases dramatically--where they allocate resources within the internal controls space. But has there been an intentional in·ten·tion·al adj. 1. Done deliberately; intended: an intentional slight. See Synonyms at voluntary. 2. Having to do with intention. , meaningful, and permanent abandonment of an emphasis on governance in favor of upon the side of; favorable to; for the advantage of. See also: favor a focus on financial reporting? According to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. experts, despite a great deal of attention to such a shift, the answer is: "Probably not." [ILLUSTRATION OMITTED] Granted, the flurry Flurry A drastic volume increase in a specific security. of corporate misbehavior in recent years did lead to the U.S. Sarbanes-Oxley Act See SOX. of 2002 and the "Sarbanes-Oxley Lite" and "Little Sarbanes-Oxley" laws and regulations it spawned around the world. And the spell of accounting fraud scandals--epitomized by the likes of Enron, HealthSouth, and WorldCom--also wrought dramatic changes in the way companies allocate and maintain their internal audit resources. Further, it's true that some companies, in their zeal Zeal Bows, Mr. crippled fiddler with intense feelings. [Br. Lit.: Pendennis] Cedric of Rotherwood zealous about restoring Saxon independence. [Br. to comply with a law so gigantic gi·gan·tic adj. 1. Relating to or suggestive of a giant. 2. a. Exceedingly large of its kind: a gigantic toadstool. b. in scope, have devoted huge chunks of manpower and money to financial reporting controls at the expense of other types of audit activities--including governance-related activities. But the big news of the past five years isn't internal audit departments leaving governance behind in favor of financials. Instead, companies have responded to the emphasis on financials by expanding and contracting their focus on governance or financials to varying degrees, with some focusing on one at the expense of the other and others adding human and financial resources for both. Some companies, similarly, have expanded the entire audit function as needed as needed prn. See prn order. to fully change to a new focus on integrated areas of internal controls--with governance, ethics ethics, in philosophy, the study and evaluation of human conduct in the light of moral principles. Moral principles may be viewed either as the standard of conduct that individuals have constructed for themselves or as the body of obligations and duties that a , and financials linked and coordinated in innovative ways--and later contracted the size of the department as the new systems became routine. Others have launched internal audit departments for the first time and operate them at full capacity. Approaches to the post-Sarbanes-Oxley internal audit environment differ significantly, but they all share one thing: Internal auditors Internal auditor An employee of a company who analyzes the company's accounting records to that the company is following and complying with all regulations. have a higher profile than ever at many companies, and many of them enjoy an unprecedented level of influence and authority. Companies have gone through different stages in the compliance process, explains Lynn Fountain, vice president of risk assessment and audit services at energy distribution company Aquila Inc. in Kansas City Kansas City, two adjacent cities of the same name, one (1990 pop. 149,767), seat of Wyandotte co., NE Kansas (inc. 1859), the other (1990 pop. 435,146), Clay, Jackson, and Platte counties, NW Mo. (inc. 1850). , Mo. "In the first couple of years after Sarbanes-Oxley, there was such a heavy focus on just getting the work done that many people didn't focus on actually understanding the intent of the act," she says. "We all focused on tactics." After looking for Looking for In the context of general equities, this describing a buy interest in which a dealer is asked to offer stock, often involving a capital commitment. Antithesis of in touch with. ways to make compliance work more efficient in recent years, she notes, internal auditors are shifting their focus to understanding the control environment itself. "Practitioners are getting past all the tactics and are starting to dip their collective toe into the governance pool, asking how internal auditing can meet its objectives in that space. It's a balancing act." EXPANDED AUTHORITY AND INFLUENCE Steve Jameson, executive vice president and chief internal audit and risk officer at Community Trust Bank in Pikeville, Ky., can attest To solemnly declare verbally or in writing that a particular document or testimony about an event is a true and accurate representation of the facts; to bear witness to. To formally certify by a signature that the signer has been present at the execution of a particular writing so as to that enhanced stature stature /sta·ture/ (stach´ur) the height or tallness of a person standing.stat´ural stat·ure n. The height of a person. stature the height of an animal in the standing position. . Jameson was hired in March 2004 to reestablish internal auditing as an internal function--it had been outsourced previously. Although an emphasis on the financial reporting control mandates in Sarbanes-Oxley was a natural element of that mission, Jameson took care to ensure that governance issues fell within the newly created audit department as well. He leveraged his company's aggressive Sarbanes-Oxley compliance effort to create a department that coordinates internal controls across key assurance disciplines. He also established his role at a high level in the organization with the insider credibility needed to get things done and the independence needed to do them right. Jameson brought a background in internal auditing and risk management--and experience working on The Committee of Sponsoring Organizations of the Treadway Commission's Enterprise Risk Management-Integrated Framework--to the new position, which led bank executives to change their plans for the job. Rather than hiring an audit manager who would handle just internal auditing and enterprise risk management (ERM (Enterprise Relationship Management) An umbrella term with many shades of meaning over the years. It may refer to the management of information from any or all of an organization's customers, suppliers, business partners and employees. ), they decided to combine all the critical control functions--ERM, internal auditing, compliance, security, and loan review for governance purposes--under one executive. And instead of establishing the position at the senior vice president level, bank leaders elevated the position to executive vice president status. In some instances, the corporate response to Sarbanes-Oxley and its cousins worldwide has actually been more pro-financials and less pro-governance. But a careful look at the individual circumstances CIRCUMSTANCES, evidence. The particulars which accompany a fact. 2. The facts proved are either possible or impossible, ordinary and probable, or extraordinary and improbable, recent or ancient; they may have happened near us, or afar off; they are public or shows that the changes are often temporary fixes--while the alteration Modification; changing a thing without obliterating it. An alteration is a variation made in the language or terms of a legal document that affects the rights and obligations of the parties to it. in the internal auditor's influence remains after the focus has been modified again and again over time. Indeed, the reverberations from Sarbanes-Oxley didn't shape Hubertus Buderath's audit shop the way they did Jameson's. The DaimlerChrysler vice president for corporate audit--who heads the Moensheim, Germany-based global automotive giant's worldwide audit operations--led an existing department, not a newly formed shop. But he did face a dilemma Jameson did not encounter in balancing internal audit resources in the wake of a new focus on financials: Just as Sarbanes-Oxley and the environment it represents caused a shift in the company's allocation of those resources, information requests from the U.S. Securities and Exchange Commission (SEC) taxed the already-stretched department even further. Sarbanes-Oxley didn't shape his shop, but it did reshape it and, in doing so, repositioned Buderath within the corporate controls hierarchy. In the first complete fiscal year after Sarbanes-Oxley passed in 2002, Section 404 work represented half of total internal audit capacity for the U.S. segment of Buderath's sphere of operations. At the same time, the automaker faced a related but separate issue in the form of an SEC investigation of some lesser allegations of fraud. "We suddenly had two new priorities," Buderath comments. "We had to focus on Sarbanes-Oxley, especially Section 404, and we had to focus on the fraud issues." DaimlerChrysler streamlined its audit timetable to emphasize fewer, but more thorough, audits over more, but less-detailed engagements. "We did not do the same number of audits as a way to assure that quality remained high," he says. "Our audit work did not cover all areas that it used to cover." Specifically, DaimlerChrysler scaled back its audit operations in all areas that focus on process optimization Process optimization is the practice of making changes or adjustments to a process, to get results. Optimization is the use of specific techniques to determine the most cost effective and efficient solution to a problem or design for a process. , such as production control, engineering processes, and purchasing processes Purchasing Purchasing is the formal process of buying goods and services. The Purchasing Process can vary from one organization to another but there are some key elements that are common throughout The process usually starts with a 'Demand' or requirements . The company beefed up its audit efforts in financial reporting and, he adds, "strongly increased our engagement in matters of forensic Belonging to courts of justice. forensic 1) adj. from Latin forensis for "belonging to the forum," ancient Rome's site for public debate, and currently meaning pertaining to the courts. auditing, including fraud detection and prevention." [ILLUSTRATION OMITTED] As times change, though, that distribution of corporate focus likely will change as well, returning to something closer to the responsibility mix many internal auditors had before Sarbanes-Oxley. Many companies have, in the first few years of compliance, already updated all their internal control systems, so the requests for audit departments to review such big individual chunks of controls will likely ebb, leaving those departments with greater capacity for other areas--including corporate governance Corporate Governance The relationship between all the stakeholders in a company. This includes the shareholders, directors, and management of a company, as defined by the corporate charter, bylaws, formal policy, and rule of law. . For various reasons, companies increased internal audit staff in a variety of areas in response to a new emphasis on financial controls, Fountain observes. "As companies try to move internal auditing from a primary focus on testing back to a process orientation," she says, "many of them will continue to maintain larger audit departments, but will rebalance their efforts to make sure they're picking up all the other risks as well." Ray Broek, executive vice president at WithumSmith+Brown Global Assurance, based in Princeton, N.J., agrees. "There's change in the wind," he says. "In the first two years of Sarbanes-Oxley, companies focused on process documentation, developing the required tests, and performing them. Now that they've got three or four years behind them, they're becoming a lot more efficient as a result of the learning curve, and partially because the automated au·to·mate v. au·to·mat·ed, au·to·mat·ing, au·to·mates v.tr. 1. To convert to automatic operation: automate a factory. 2. controls that many companies put in place require less testing. Companies are going back to their internal audit roots to really get involved in operational work again." GET USED TO THE SPOTLIGHT One thing that likely won't change, Buderath notes, is his enhanced stature within the decision-making hierarchy at DaimlerChrysler. "I am personally involved more strongly than in the past in all financial reporting matters," he says. "And I collaborate directly with the chief financial officer (CFO See Chief Financial Officer. ) and with the audit committee. That's new for me." It's new, too, for Michael Marinaccio, director of internal audit at Biogen Idec Biogen Idec, Inc. (NASDAQ: BIIB) is a biotechnology company specializing in drugs for neurological disorders, autoimmune disorders and cancer. The company was formed in 2003 by the merger of Cambridge, Massachusetts-based Biogen and San Diego, California-based Idec , a biotech bi·o·tech n. Informal Biotechnology. biotech Noun short for biotechnology Noun 1. company based in Cambridge, Mass. "The greater focus on all the areas of internal audit influence has definitely been a good thing for the profession," he says, noting that since Sarbanes-Oxley was enacted, "many companies that didn't have an audit function have established one." That's especially true for many companies like his, he adds--young firms, often operating in the fast-paced biotech sector or similar, high-growth, highly technology-dependent fields that run especially lean. What, exactly, internal auditors are focusing on isn't as key to the profession's stature as how much other parts of many companies are focusing on the internal audit function. The elevated status of internal auditors gives them a platform to demonstrate their value to management, Marinaccio adds. The recent changes in the way some firms balance internal controls--governance versus financials, risk management versus ethics--have also increased awareness of controls. "We don't have to fight the education battle so much anymore, explaining to people what controls are," he says. Now, colleagues at Biogen Idec make sure to run ideas by him in the developmental stage on an informal basis, instead of waiting until established projects reach the audit department through the natural course of control processes. "They tell us what they're thinking about doing," he comments, "and they take our input seriously." There's a potential downside Downside The dollar amount by which the market or a stock has the potential to fall. Notes: You might hear someone say that the downside on stock XYZ is $10. What that means is that the stock could fall by this amount if things got bad. to the new role internal auditors are playing in many companies as a result of their recently modified focus on governance, financials, and ethics. Just as the spotlight illuminates all the good internal auditors can contribute, it also casts an unforgiving light on mistakes internal auditors can make. "More internal auditor positions have been elevated to the level of the executive suite," Jameson points out. "That has been good for the profession as a whole, but I suspect there are certain individual internal auditors the changes haven't been good for." Some audit directors turned chief audit executives (CAEs) who struggle to measure up to higher expectations and more significant audit issues may be replaced by more experienced CAEs, he notes. "There's certainly more pressure to make the right calls and do the right thing." CHANGES ON THE SURFACE In fact, you might say that's where the real pressure on internal auditors rests these days: Doing it right. Throughout the profession, the pressure isn't so much to perform governance work, financial reporting work, or any other specific audit engagement. Rather, the brave new world Brave New World Aldous Huxley’s grim picture of the future, where scientific and social developments have turned life into a tragic travesty. [Br. Lit.: Magill I, 79] See : Dystopia Brave New World of internal auditing brings greater responsibility to assist organizations in managing global risks in many areas, governance and financial reporting among them. As director of the Corporate Governance Center and a professor of management and entrepreneurship in the Coles College of Business at Kennesaw (Ga.) State University, Paul Lapides studies internal audit departments in transition. His perception is there has been more talk about dramatic changes in the way companies allocate internal audit resources for governance-related or financial report-related work than there has been real change. Audit departments didn't focus considerable efforts on governance issues in the past and, for the most part, they don't now, he says. Any enhanced emphasis on financial reporting controls is simply that--enhanced emphasis, not a seismic shift in the way corporations approach controls. "I haven't seen anything interfering with good financial auditing," Lapides comments. "The reality is internal auditors--and external auditors--still don't do much related to looking at the governance of an organization. For most internal audit departments, it's probably good to have fairly light review authority, because it's difficult to say to board members, 'By the way, your audit committee stinks and your board process is a joke.'" Indeed, in his ongoing research, he's interviewed more than 1,000 audit committee members and determined that, while some may emphasize governance, he doesn't see a trend toward that kind of focus. "It's not much different from 20 years ago," he says. What has changed is the magnitude of internal audit work. "I've seen a wide diversity in companies' allocation of resources allocation of resources Apportionment of productive assets among different uses. The issue of resource allocation arises as societies seek to balance limited resources (capital, labour, land) against the various and often unlimited wants of their members. ," Lapides says. "Internal audit departments are not doing less in any areas. In fact, they're doing more in every area." Operational and financial auditing are becoming more integrated as well, he notes. Marinaccio sees the same thing. Many companies' initial reaction to Sarbanes-Oxley was to place too much emphasis on auditing financial controls and financial statements--"probably to the detriment Any loss or harm to a person or property; relinquishment of a legal right, benefit, or something of value. Detriment is most frequently applied to contract formation, since it is an essential element of consideration, which is a prerequisite of a legally enforceable contract. or peril The designated contingency, risk, or hazard against which an insured seeks to protect himself or herself when purchasing a policy of insurance. Among the various types of perils for which insurance coverage is available are fire, theft, illness, and death. PERIL. of other areas," he says. But now, "there's pressure to start rebalancing Rebalancing The process of realigning the weightings of one's portfolio of assets. Notes: For example, if your portfolio's proportion of stock has grown too large for your intended assets weightings and risk tolerance, you might rebalance by selling some stock and putting our whole approach to everything." Increasingly, internal auditors like Marinaccio are taking a top-down approach Top-down approach A method of security selection that starts with asset allocation and works systematically through sector and industry allocation to individual security selection. and putting together risk-based audit plans that will attempt to strike a balance among their various spheres of influence, including compliance, information technology, and finance. Biogen Idec plans to hire a corporate compliance officer with responsibility for both risk and compliance--although financial controls likely will remain separate, a responsibility of the CFO. "If you look at risks individually and try to manage them all separately, you can fall into a silo trap," Marinaccio says. "You have to look globally--at the entire worldwide enterprise--and determine the risks you face." AN INDIVIDUALIZED in·di·vid·u·al·ize tr.v. in·di·vid·u·al·ized, in·di·vid·u·al·iz·ing, in·di·vid·u·al·iz·es 1. To give individuality to. 2. To consider or treat individually; particularize. 3. EMPHASIS That word, "globally," comes up often when internal auditors talk about their jobs in a post-Sarbanes-Oxley environment. Their talk also reveals that the specifics of a global approach--how much emphasis on governance, how much on financials, how much elsewhere in the company--is subject to change with the changing corporate environment throughout the world. Any new emphasis on internal control over financial reporting is probably going to be as time- and corporation-specific as the moves away from financials were before the arrival of the new regulatory regime. Indeed, Hans Spoel, director of group audit services at Alcatel-Lucent SA, Paris, calls internal controls "the bread and butter of the internal auditor." And internal control over financial reporting is part of the core business of any internal audit shop, he says, because internal auditors deal with corporate governance, internal control, and risk management in all the work they do, whether in an assurance or an advisory mode. Sarbanes-Oxley and its kin worldwide, in fact, didn't herald a move away from one discipline and to a new one, he says. Rather, they simply served as "wake-up calls" for the profession. In other words Adv. 1. in other words - otherwise stated; "in other words, we are broke" put differently , what seems like a seismic shift away from governance and toward financials is really more business operations Business operations are those activities involved in the running of a business for the purpose of producing value for the stakeholders. Compare business processes. The outcome of business operations is the harvesting of value from assets refinement than a complete rethinking of a corporate approach to controls. "At the heart of all this is the never-ending allocation-of-resources issue," Spoel points out. "You never have enough people to do it all." Alcatel-Lucent, for example, expended ex·pend tr.v. ex·pend·ed, ex·pend·ing, ex·pends 1. To lay out; spend: expending tax revenues on government operations. See Synonyms at spend. 2. almost 80 percent of its available internal audit human resources The fancy word for "people." The human resources department within an organization, years ago known as the "personnel department," manages the administrative aspects of the employees. in year one to become compliant with the new laws New Laws: see Las Casas, Bartolomé de. . That wasn't a dramatic shift in internal audit priorities, though; it was a reflection of the company's circumstances at that time. "We were going through a major crisis and we could not afford to bring in outside help," Spoel explains. "Therefore, internal auditing was involved in not only the testing part of Sarbanes-Oxley, but also very much in the design, implementation, and project management pieces. Will that also be the case going forward? No." In fact, Spoel doesn't understand all the fuss about a distinction between a pre-Sarbanes-Oxley focus on governance and a post-Sarbanes-Oxley focus on financials. Internal auditing is internal auditing, he stresses, and its reach should extend to every aspect of internal controls in the organization. Even under the law, he explains, "the financials may be the origin for determining scope, but Sarbanes-Oxley is a top-down, risk-based exercise in which the key issues are control-environment and managing-the-entity considerations. You can't get more governance-related than that." Jameson, too, sees a continuum including financial reporting controls and governance-related activity, and he sees it flowing in both directions. "Actually, the focus by Sarbanes-Oxley on controls drives some of the governance processes," he says. "In the end, everything affects the financial statement--everything we do in the company. Our processes all seem to link back to the financials, even on the governance side." THE NEXT FIVE YEARS Rarely is opinion undivided UNDIVIDED. That which is held by the same title by two or more persons, whether their rights are equal, as to value or quantity, or unequal. 2. Tenants in common, joint-tenants, and partners, hold an undivided right in their respective properties, until on issues of the appropriate structure of internal auditing within an organization. Jameson says he wouldn't be surprised to see internal auditors extend their reach even further. "As the focus on internal auditing is incorporated more fully into the routine of businesses' processes and activities, I'm going to speculate that internal auditing will broaden into additional areas of governance and risk management," he explains. "As Sarbanes-Oxley fades from the spotlight, internal auditors may see opportunities to use beefed-up budgets to make their companies better in other respects. There will be some additional opportunities for internal auditors to look at some things they traditionally haven't looked at." On the other hand, Buderath comments, "it is not useful to combine the compliance office with internal auditing. One is a management function, and the other is an audit function." Internal auditors should not be the risk manager either, he notes, as they must audit risk management systems and procedures. Interestingly, Buderath developed DaimlerChrysler's risk management processes and was, by board mandate, made its risk manager for three years. "It was a conflict of interest for me," he says now. "There's no doubt there should be very strong collaboration Strong collaboration (also known as radical collaboration) is a term coined by Larry Sanger to refer to a new type of collaboration made possible by computers and the Internet and used on sites like Wikipedia. between internal auditing, compliance, and risk management, but, based on my experience, they should be strictly separated." Governance is another matter entirely. It was not the focus of internal audit work at most companies before Sarbanes-Oxley, and it likely will not be the focus looking forward to the next five years. Rather, Buderath and the others agree governance always will be a component of an effective audit department, not its main line of business or area of influence. "Governance should not be a special function in a company," Buderath stresses. "Governance is an issue for all management, whether line managers with operations responsibilities, risk managers, compliance auditors, or internal auditors. Governance is a task for all departments." To comment on this article, e-mail the author at russell.jackson@theiia.org. RUSSELL A. JACKSON FREELANCE WRITER ILLUSTRATIONS BY TERRY ALLEN Terry Allen may refer to:
|
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion